Abstract

This work proposes a new distributed and self-organized authentication
scheme for Mobile Ad-hoc NETworks (MANETs). Apart from describing
all its components, special emphasis is placed on proving that the
proposal fulfils most requirements derived from the special characteristics
of MANETs, including limited physical protection of broadcast medium,
frequent route changes caused by mobility, and lack of structured hierarchy.
Interesting conclusions are obtained from an analysis of simulation
experiments in different scenarios.

Keywords: Authentication, Access Control, Mobile Ad-hoc Networks,
Cryptography
1 Introduction

Services such as authentication, confidentiality, integrity, non-repudiation,
availability and access control are the main base for network security. Among all
these facilities, authentication, which ensures the true identities of nodes, is
the most fundamental one because other services depend fully on the correct
authentication of communication entities.

Mobile Ad-hoc NETworks (MANETs) may be described as autonomous networks
formed by mobile nodes that are free to move at will. These networks
have received increasing interest in the last years, partly owing to their potential
applicability to many different situations, ranging from small, static networks
that are constrained by power sources, to large-scale, mobile and highly dynamic
networks. Whilst conventional wired networks normally use a globally
trusted Certificate Authority (CA) for solving the authentication problem, such
a solution is not the best for MANETs. In fact, the authentication problem
in MANETs is much more difficult to solve due to their characteristics such as
the absence of a fixed infrastructure and centralized management, the dynamic
nature and limited wireless range of nodes, the dynamic topology, frequent link
failures and possible transmission errors [T] [23]. Also, since all nodes must
collaborate to forward data, the wireless channel is prone to active and passive
attacks by malicious nodes, such as Denial of Service (DoS), eavesdropping,
spoofing, etc.

This work proposes a new distributed and self-organized authentication 
scheme for MANETs, which fulfils most requirements of this type of networks, 
including limited physical security, high node mobility and lack of infrastructure. 

This paper is organized as follows. In Section 2 some existing solutions are
briefly described. Section 3 provides an overview of the proposed scheme,
including general aspects and notation. Specific details about the five principal
elements of the architecture, i.e. network initialization, node insertion, access
control, proofs of life and node deletion, are gathered in Section 4. The
assumptions required by the proposed scheme and an analysis of its security are
commented in Section 5. Section 6 provides a performance analysis developed
under NS-2. Finally, some conclusions and open questions complete the paper.

2 Related Work 

In 1999 Zhou and Haas [27] suggested using threshold cryptography to secure
MANETs. They proposed a distributed CA to issue certificates, but this idea is
not applicable to ad-hoc groups since only selected nodes can serve as part of the
certification authority, and contacting the distributed CA nodes in a MANET
may be difficult. Luo et al. considered the same problem in [T!5] and Kong et
al. in [16]. They proposed a set of protocols for ubiquitous and robust access
control in MANETs, which allow every member to participate in access control
decisions. Unfortunately, this scheme has been shown to be insecure in [14].

Another interesting identification paradigm that has been used in wireless
ad-hoc networks is the notion of chain of trust [T3], but it fails if malicious nodes
are within the network. Another typical solution is location-limited authentication,
which is based on the fact that most ad-hoc networks exist in small areas
and physical authentication may be carried out between nodes that are close
to each other. However, the location-limited authentication is not feasible for
large, group-based settings.

Later, Kim et al. [H] developed a group access control framework based on a 
menu of cryptographic techniques, which included simple access control policies, 
such as static ACLs (Access Control Lists), as well as admission based on the 
decision of a fixed entity: external (e.g., a CA or a Trusted Third Party) or 
internal (e.g., a group founder). The main drawback of such a proposal is that 
those policies are inflexible and unsuitable for dynamic ad-hoc networks. For 
instance, static ACLs enumerate all possible members and hence cannot support 
truly dynamic membership, and admission decisions made by a Trusted Third 
Party (TTP) or a group founder violate the peer nature of the underlying ad-hoc 
group. 

Other authentication protocols that have been recently proposed for ad-hoc
networks are the following. The work [IT], based on the RSA signature, leads
to the problem of public key certification. Another recent paper [2T] provides a
solution that works well, but just for short-lived MANETs.

In conclusion, we may say that the design of new schemes that fulfil most 
requirements for this type of networks continues being considered an open ques- 
tion, and indeed is the main objective of this paper. 

Here we propose a new architecture for authentication in ad-hoc networks 
called Global Authentication Scheme for Mobile Ad-hoc Networks (GASMAN), 
which is based on the established cryptographic paradigm of Zero-Knowledge 
Proofs (ZKPs) [10]. Since the information sent while executing does not con- 
vey any secret related to the authentication process, ZKPs provide an elegant 
and fault-tolerant solution to node authentication in MANETs. As we will see 
in this paper, when comparing the GASMAN with existing proposals, several 
improvements are remarkable: 

1. In the proposed scheme all nodes play exactly the same role. In particular, 
there are no selected nodes serving as CA and admission decisions are not 
made by a TTP or a group founder but by the nodes themselves. 

2. The GASMAN has scalability and flexibility and is suitable for dynamic
ad-hoc networks, thanks in part to the fact that it is not based on any static
structure such as ACLs.

3. The proposal is feasible for group-based and long-lived MANETs. A key 
factor to achieve it is the fact that it is not based on location-limited 
authentication. 

4. Availability is guaranteed through insertion, deletion and access control 
procedures. 

5. Our architecture assures strong authentication to any legitimate node will- 
ing to join the network by using the ZKP implemented in the access con- 
trol. 

6. The GASMAN algorithms jointly with mobility help to reduce the time 
necessary for nodes to join and access the network in a timely manner. 

Summing up, the main features of the proposal are the adaptation to the 
varying topology of the network, the open availability of broadcast transmissions 
and the strong access control. 

Up to now, very few publications have mentioned the proposal of authentication
systems for ad-hoc networks using ZKPs. Two of them are [5] and
[25], but none dealt with the related problem of topology changes in the network.
Another recent ZKP-based proposal for MANETs related to the one
proposed here was the hierarchical scheme described in [6], where two different
security levels were defined through the use of a hard-on-average graph problem,
but again no topology changes were considered. On the other hand, two works
that may be considered the seed of this work are [3] and [4]. The main differences
between the proposal of this paper and both references are the following:
definition of node life-cycle, analysis of possible attacks, description of necessary
assumptions, provision of a larger example, more data about performance
analysis, and a comparison with existing solutions.

3 Basics and Notation 

With the term authentication, here we refer to verification of users' identities. 
Another important concept in this paper is availability, which involves making 
network services or resources available to legitimate users in such a way that 
the survivability of the network is ensured despite malicious incidences. The 
architecture proposed in this paper is intended both for authentication and for 
availability. 

In particular, the protocol was designed as a strong authentication scheme 
for group membership since when a node wants to be part of the network, it has 
to be previously authorized by a legitimate node through a validation process 
of its identity against previously stored information by using cryptographic cre- 
dentials. According to [50], in any group member authentication protocol it is 
necessary to provide robust methods to insert and to delete nodes, as well as to 
allow the access only for legitimate members of the group. For that reason, not 
only the ZKP used for access control is described, but also the update proce- 
dures associated to insertions and deletions are carefully defined. For instance, 
the procedure to delete nodes is only initiated once a node has been disconnected
from the network for too long. The period of time after which the node is
deleted is an important parameter (T) of the system here presented.

Note that in this paper strong authentication does not refer to multi-factor 
authentication [9] since we consider just one factor for the authentication pro- 
cess. Consequently, the proposal could be improved by adding more factors to 
the authentication process, but even in such a case the strength of the scheme 
would be always bound to the secrecy under which the factors are kept. 

The access control described below is based on the general scheme of Zero-Knowledge
Proof introduced in [5], when using the Hamiltonian Cycle Problem
(HCP). A Hamiltonian cycle in a graph is a cycle that visits each vertex exactly 
once and returns to the starting vertex. Determining whether such cycles exist 
in a graph defines the Hamiltonian Cycle Problem, which is NP-complete. Such 
a problem was chosen for our design mainly due to the low cost of the operations 
associated to the update of a solution. This is an important characteristic since 
in a highly dynamic setting such as MANETs these operations will be developed 
frequently. In any case, it should be pointed out that similar schemes based on
different NP-complete graph problems might be described. The only feature
demanded of the chosen problems is that the solutions may be easily updated
when small changes occur in the network. This is just the case of the Vertex
Cover, Independent Set or Clique Problems, for instance.

One of the key points to assure the correct operation of GASMAN is the use
of a chat application through broadcast that makes it possible for legitimate
on-line nodes to send a message to all on-line users. Such an application
allows publishing all the information associated to the update of the network. In
order to provide integrity of chat information, the sender could sign a hash of
the chat message, and even such a hash could be encrypted using a symmetric
cipher with the shared secret key. On the other hand, although secrecy is not
necessary for chat messages because they are useless for illegitimate nodes, it
is required that only the on-line legitimate nodes can execute the chat application.
Consequently, prior authentication of the users of the chat application is
required. To solve this matter, the access control based on ZKP described in
Section 4.3 could be used.

The information received through the chat application during an interval of 
time must be stored by each on-line node in a FIFO queue. Such data should 
be stored by each on-line node, allowing in this way the updating of the authen- 
tication information not only to it but also to all the off-line legitimate nodes 
whose access will be granted. Such a period is an essential parameter in the 
system because it states both the maximum off-line time allowed for any legiti- 
mate node, and the frequency of broadcasting the proofs of life. Consequently, 
such a parameter should be previously agreed among all the legitimate nodes of 
the network. 

A generic life-cycle of a MANET has three major phases that are described 
below (see Figure 1): 

Initialization:

Each initial member of the original network will be securely provided,
either off-line or on-line, with a secret piece of information. The knowledge
of the secret network key will be used during access control in order to
prove the node's eligibility for accessing the protected resources or for
offering service to the network. After completing this stage, the legitimate
nodes are ready to actively participate in the network.

Access Control: 

The access control process allows a legitimate node to prove its network 
membership to an on-line node. These legitimate nodes must demonstrate 
knowledge of the secret network key by using a challenge-response scheme. 

On-line Session: 

Once the legitimate node reaches an on-line state in the network, it gets
full access to protected resources such as the chat application. At the
same time, it may offer services such as the insertion of new nodes. It
should be taken into account that the secret network key will be updated
according to the network evolution. Hence, if a node is off-line for too
long, its secret key will expire. In such a case, the legitimate node would
have to be re-inserted by an on-line legitimate node.

Since in our proposal the secrecy of the network key is provided by the difficulty
of the HCP, the number of on-line legitimate nodes is a crucial parameter.
In consequence, as soon as the number of on-line legitimate nodes becomes
too small (compared with a certain threshold parameter), the network
termination is carried out and therefore the life-cycle of the network ends.




Figure 1: Node Life-Cycle 



A remarkable aspect of our proposal, which is shared with other previous
proposals, is that no meaningful information may be stolen even if an adversary
is able to read the whole information published through the chat application,
or even if it eavesdrops on the information exchanged between a legitimate prover
and a legitimate verifier at the time of executing the access control protocol.

In the following, the basic notation used throughout the proposal is explained.

• $G_t = (V_t, E_t)$ denotes the undirected graph used at stage $t$ of the network
life-cycle.

• $v_i \in V_t$ represents both a vertex of the graph and a legitimate node.

• $n = |V_t|$ is the order of $G_t$, which coincides with the number of legitimate
nodes.

• $N_{G_t}(v_i)$ denotes the neighbours of node $v_i$ in the graph $G_t$.

• $\Pi(V_t)$ represents a random permutation over the vertex set $V_t$.

• $\Pi(G_t)$ denotes the graph isomorphic to $G_t$ built after applying permutation
$\Pi(V_t)$.

• $c \in_r C$ indicates that an element $c$ is chosen at random with uniform
distribution from a set $C$.

• $HC_t$ designates the Hamiltonian cycle used at stage $t$.

• $\Pi(HC_t)$ represents the Hamiltonian cycle $HC_t$ in the graph $\Pi(G_t)$.

• $N_{HC_t}(v_i)$ denotes the neighbours of node $v_i$ in the Hamiltonian cycle $HC_t$.

• $S$ and $A$ stand for the supplicant and the authenticator, respectively. This
notation is used both while an insertion phase and while the execution of
a ZKP-based access control are carried out.

• $S \rightleftharpoons A$ symbolizes when node $S$ contacts $A$.

• $A \leftrightarrow S$ : information means that $A$ and $S$ agree on information.

• $A \rightarrow S$ : information means that $A$ sends information to $S$ through a
secure channel.

• $A \rightsquigarrow S$ : information means that $A$ sends information to $S$ through an
open channel.

• $A \rightarrow network$ : information represents when $A$ broadcasts information
to all on-line legitimate nodes.

• $A \leftrightarrow network$ : information represents a two-step procedure where $A$
broadcasts information to all on-line legitimate nodes of the network,
and receives their answers.

• $h$ stands for a public hash function.

• $T$ denotes the threshold period that a legitimate node may be off-line
without being excluded from the network.

4 GASMAN description 

This section contains the description of the procedures that form part of the 
GASMAN architecture, including all the specific details about network initial- 
ization, node insertion, access control, proofs of life and node deletion. 

4.1 Network Initialization 

The proposed protocol requires the definition of an initialization phase where 
the secret information associated to the process of identification is generated 
and distributed within the initial network. This initialization phase consists in 
the definition of the graph used for the development of the protocol. Such a 
graph should be generated with the participation of all the original members of 
the network. Furthermore, the initialization phase also implies the distributed 
generation by the initial legitimate members of the network of a hard instance 
of the HCP in such a graph, task that was analysed in [17] . 



In our proposal, as in trust graphs, the vertex set corresponds to the set
of nodes in the actual network during its whole life-cycle. Consequently, the
initialization process starts from a set $V_0$ of $n$ vertexes corresponding to the
nodes of the initial network. Hence, each vertex sub-index may be used as ID
(IDentification) for the corresponding node. The first step of the initialization
process consists of generating cooperatively and secretly a random permutation
$\Pi$ of such a set. Once this generation is completed, each legitimate node should
know a Hamiltonian cycle $HC_0$ corresponding exactly to such a permutation.
Finally, the partial graph formed by the edges corresponding to such a Hamiltonian
cycle $HC_0$ is completed by adding $n$ groups of $\frac{2m}{n}$ edges, producing the
initial edge set $E_0$. Here, $m$ stands for the number of edges that the initial graph
will have after the initialization stage. Each one of these $n$ groups of edges will
be generated by $v_i$, $i = 1, 2, \ldots, n$, according to the following restrictions: they
must have $v_i$ as one of its vertexes, while the other one will be randomly generated.
Note that the size $\frac{2m}{n}$ of those edge subsets must be large enough so that
the size of the resulting edge set $|E_0| = m$ guarantees the difficulty of the HCP
in the graph $G_0$.

In general, finding Hamiltonian cycles is a difficult task even in relatively small
graphs [23], [22]. However, since in our proposal it is necessary to guarantee the
difficulty of the generated instance, we could use sparse pseudo-random regular
graphs based on a generalization of knight's tours [TS]. After the individual
processes described in the previous paragraph, in order to generate cooperatively
and secretly such a graph, the authenticated Diffie-Hellman key exchange
protocols could be used [7].

Initialization Algorithm

Input: $V_0$, with $|V_0| = n$.

1. The $n$ nodes of the network generate cooperatively, secretly and randomly
the cycle $HC_0 = \Pi(V_0)$.

2. $\forall v_i \in V_0$, $v_i$ builds the set

$N_{G_0}(i) = \{v_j \in_r V_0\} \cup N_{HC_0}(i)$

with $|N_{G_0}(i)| = \frac{2m}{n}$.

3. $\forall v_i \in V_0$ : $v_i \rightarrow network$ : $N_{G_0}(i)$.

4. $\forall v_i \in V_0$ : $v_i$ merges:

$E_0 = \bigcup_{i=1,2,\ldots,n} \{(v_i, v_j) : v_j \in N_{G_0}(i)\}$.

Output: $G_0 = (V_0, E_0)$, with $|E_0| = m$.

Once the creation of the initial instance of the problem has been carried out
through the contribution of all the nodes of the network, each node will know a
Hamiltonian cycle in the resulting $\frac{2m}{n}$-regular graph. From then on, each time
a new user S wants to become a member of the network, it has to contact a
legitimate member A in order to follow the insertion procedure explained in the
following section.



4.2 Node Insertion 

Let us suppose that we are at stage $t$ of the network life-cycle when a user S
contacts a legitimate member A of the network to become a member of the network.
Once S has convinced A to accept its membership, the first step that
A should carry out is to assign S the lowest vertex number $v_i$ not assigned so
far in the vertex set $V_t$. Afterwards, A should broadcast such an assignment to
all on-line legitimate nodes in order to prevent another simultaneous insertion
with the same identifier. If A receives less than $n/2$ answers to the previous
message, she stops the insertion procedure because the number of nodes that
are aware of the insertion is not large enough. Otherwise, A develops the
corresponding update of the secret Hamiltonian cycle $HC_t$ by selecting at random
two neighbour vertexes $v_j$ and $v_k$ in order to insert the new node $v_i$ between
them. Additionally, A chooses at random a subset of $\frac{2m}{n} - 2$ nodes in $V_t$ such
that none of them is its neighbour in $HC_t$. Finally, A broadcasts the set of
neighbours $N_{G_{t+1}}(v_i)$ of S in the new graph $G_{t+1}$.

Each time a node receives a graph update, it should secretly modify the
corresponding Hamiltonian cycle. In order to achieve it, it uses the information
provided to identify the unique position (according to the new edge set $E_{t+1}$)
in the cycle where the new node can be inserted. In this way, it will be able to
easily update the secret network key by simply inserting the vertex $v_i$ between
the vertexes $v_j$ and $v_k$. At the same time, the authenticator node A must send
the supplicant node S both the graph $G_{t+1}$ (deploying an open channel), and
the Hamiltonian cycle $HC_{t+1}$ (through a secure channel).

Insertion Algorithm

Input: At stage $t$ a supplicant node S wants to become a member of the
network.

1. $S \rightleftharpoons A$.

2. Node S convinces node A to accept its membership in the network.

3. A assigns S the identifier $v_i$ such that $i = \min\{l : v_l \notin V_t\}$

4. $A \leftrightarrow network : v_i$

4.1 If A receives less than $n/2$ answers, she stops the insertion procedure.

4.2 Otherwise:

4.2.1 A chooses:

$(v_j, v_k) : v_j \in_r V_t,\ v_k \in_r N_{HC_t}(v_j)$

4.2.2 A chooses at random:

$N_{G_{t+1}}(v_i) = \{v_j, v_k\} \cup \{w_1, w_2, \ldots, w_{\frac{2m}{n}-2}\}$
such that $N_{G_{t+1}}(v_i) \subset V_t \wedge \forall w_{l_1}, w_{l_2} : w_{l_1} \notin N_{HC_t}(w_{l_2})$

4.2.3 $A \rightarrow network : N_{G_{t+1}}(v_i)$

4.2.4 Each on-line node updates $G_t$ by defining $V_{t+1} = V_t \cup \{v_i\}$,
$E_{t+1} = E_t \cup N_{G_{t+1}}(v_i)$ and $HC_{t+1} = HC_t \setminus \{(v_j, v_k)\} \cup \{(v_j, v_i), (v_i, v_k)\}$

4.2.5 $A \rightsquigarrow v_i : G_{t+1}$

4.2.6 $A \rightarrow v_i : HC_{t+1}$

Output: The supplicant node S becomes a legitimate member of the network.

4.3 Access Control 

If a legitimate node S has been off-line or out-of-coverage from stage $t$ and
wants to re-enter into the network at stage $r$, its first step should be to contact
a legitimate on-line member A. Afterwards, A should check whether the period
S has been off-line is not greater than $T$. In this case, S has to be authenticated
by A through a ZKP based on its knowledge of the secret solution $HC_t$ on the
graph $G_t$.

The aforementioned ZKP begins with the agreement between A and S on
the number of iterations $l$ to execute. From there on, in each iteration, S will
choose a random permutation $\Pi_j(V_t)$ on the vertex set that will be used to
build a graph $\Pi_j(G_t)$ isomorphic to $G_t$. The hash value of both the permutation
$h(\Pi_j(V_t))$ and the Hamiltonian cycle in the graph $h(\Pi_j(HC_t))$ are then sent
to A. When this information is received by A, it chooses a bit $b_j$ at random
($b_j \in_r \{0, 1\}$). Depending on the selected value, S will provide A with the
image of the Hamiltonian cycle through the isomorphism, or with the specific
definition of the isomorphism. In the verification phase, A will check that the
received information was correctly built.

Once the authentication of supplicant S has been successfully carried out, 
the authenticator A gives him the necessary information to have full access to 
the protected resources such as the chat application, for example. 

Access Control Algorithm

Input: At stage $r$ a supplicant node S that has been off-line since stage $t$
wants to re-enter into the network.

1. $S \rightleftharpoons A$

2. $S \rightsquigarrow A : G_t$

3. A checks whether $r - t \le T$

4. if $r - t > T$ then S is not authenticated

5. otherwise:

• $A \leftrightarrow S : l$

• for $j = 1, 2, \ldots, l$

5.1 S chooses $\Pi_j(V_t)$ and builds $\Pi_j(G_t)$ and $\Pi_j(HC_t)$, the graph
isomorphic to $G_t$ and the corresponding Hamiltonian cycle, respectively.

5.2 $S \rightsquigarrow A : \{h(\Pi_j(V_t)), h(\Pi_j(HC_t))\}$

5.3 A chooses the challenge $b_j \in_r \{0, 1\}$

5.4 $A \rightsquigarrow S : b_j$

5.4.1 If $b_j = 0$ then $S \rightsquigarrow A : \{\Pi_j(G_t), \Pi_j(HC_t)\}$

5.4.2 If $b_j = 1$ then $S \rightsquigarrow A : \Pi_j$

5.5 A verifies that

i. $\Pi_j(HC_t)$ is a valid Hamiltonian cycle in $\Pi_j(G_t)$, if $b_j = 0$
ii. the hash function $h$ applied on $\Pi_j(G_t)$ coincides with $h(\Pi_j(G_t))$,
if $b_j = 1$

if $\exists j \in \{1, 2, \ldots, l\}$ such that the verification is negative, then S is
isolated.

• otherwise $A \rightarrow S$ : the necessary information to have full access to
protected resources of the network.

Output: Node S is connected on-line to the network.
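
An added example (not code from the paper) of the access-control exchange above in Python, run for an honest supplicant and for one that knows $G_t$ but not $HC_t$. SHA-256 as $h$, the class and function names, the 6-node sample graph and the extra commitment to $h(\Pi_j(G_t))$, which lets A check both challenge branches against one commitment, are assumptions of this example.

```python
import hashlib
import random


def h(obj):
    """Public hash h; SHA-256 over repr() is a choice made for this example."""
    return hashlib.sha256(repr(obj).encode()).hexdigest()


def norm(edges):
    """Canonical (sorted) form of an undirected edge set."""
    return sorted(tuple(sorted(e)) for e in edges)


def permute(perm, edges):
    """Image of an edge set under the vertex permutation perm (a dict)."""
    return norm((perm[u], perm[v]) for u, v in edges)


def is_hamiltonian(vertices, graph, cycle):
    """True if cycle visits every vertex exactly once using only graph edges."""
    steps = norm(zip(cycle, cycle[1:] + cycle[:1]))
    return (len(cycle) == len(vertices) and set(cycle) == set(vertices)
            and set(steps) <= set(graph))


class Supplicant:
    """Node S: holds G_t and the cycle it claims to be HC_t."""

    def __init__(self, vertices, graph, cycle, rng):
        self.V, self.G, self.HC, self.rng = list(vertices), norm(graph), list(cycle), rng

    def commit(self):
        """Steps 5.1-5.2: fresh permutation Pi_j, then send only hash values."""
        image = self.V[:]
        self.rng.shuffle(image)
        self.perm = dict(zip(self.V, image))
        self.pG = permute(self.perm, self.G)
        self.pHC = [self.perm[v] for v in self.HC]
        return {"perm": h(sorted(self.perm.items())),
                "cycle": h(self.pHC),
                "graph": h(self.pG)}  # extra commitment, assumption of this example

    def respond(self, b):
        """Steps 5.4.1 / 5.4.2: answer the challenge bit b_j."""
        return (self.pG, self.pHC) if b == 0 else self.perm


def verify(vertices, graph, commitment, b, response):
    """Step 5.5, run by the authenticator A on its own copy of G_t."""
    if b == 0:
        pG, pHC = response
        return (h(pG) == commitment["graph"] and h(pHC) == commitment["cycle"]
                and is_hamiltonian(vertices, pG, pHC))
    perm = response
    return (sorted(perm) == sorted(vertices) == sorted(perm.values())
            and h(sorted(perm.items())) == commitment["perm"]
            and h(permute(perm, graph)) == commitment["graph"])


def access_control(supplicant, vertices, graph, t, r, T, rounds, rng):
    """Steps 3-5: freshness check, then `rounds` challenge-response iterations."""
    if r - t > T:
        return False                      # off-line for too long
    for _ in range(rounds):
        commitment = supplicant.commit()
        b = rng.randrange(2)              # challenge b_j chosen by A
        if not verify(vertices, graph, commitment, b, supplicant.respond(b)):
            return False                  # S is isolated
    return True


# Constructed sample: 6 nodes, 3-regular graph (m = 9), secret cycle HC.
V = [0, 1, 2, 3, 4, 5]
HC = [0, 3, 1, 4, 2, 5]
G = norm(list(zip(HC, HC[1:] + HC[:1])) + [(0, 1), (2, 3), (4, 5)])

if __name__ == "__main__":
    rng = random.Random()
    honest = Supplicant(V, G, HC, rng)
    guesser = Supplicant(V, G, [0, 1, 2, 3, 4, 5], rng)   # does not know HC
    print("honest :", access_control(honest, V, G, t=3, r=5, T=10, rounds=20, rng=rng))
    print("guesser:", access_control(guesser, V, G, t=3, r=5, T=10, rounds=20, rng=rng))
```

A supplicant that cannot answer the $b_j = 0$ branch survives each round only when A happens to draw $b_j = 1$, which is why the number of iterations $l$ agreed in step 5 matters.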

4.4 Proofs of Life 

All on-line legitimate nodes have to confirm their presence in an active way. Such
a confirmation is carried out every period of time T. It consists in broadcasting
a message (proof-of-life) to all on-line legitimate nodes.

If some insertion happens during such a period, a proof of life of every on-line 
legitimate node will be distributed together with the information necessary for 
the insertion procedure. Otherwise, only the proof of life is required. During 
such a broadcast every node adds its own proof of life to the broadcast. In 
this way, when the broadcast reaches the last node, a broadcast back starts 
containing the proofs of life of all on-line legitimate nodes. 

Proof-of-Life Algorithm

Input: At stage $t$ node A is an on-line legitimate node of the network.

1. A initializes its clock = 0 just after its last proof of life.

2. if clock > $T$ then

2.1 $A \leftrightarrow network$ : A's proof of life

2.1.1 If A receives less than $n/2$ proofs of life as answers to her broadcast,
she stops her proof of life and puts back her clock.

2.1.2 Otherwise: $A \rightarrow network$ : Received proofs of life

Output: At stage $t + 1$ node A continues being an on-line legitimate node
of the network.
Note that the possibility exists that a legitimate, but malicious, node broadcasts
a fake proof of life for other nodes. However, the potential impact of this
threat may be considered low since it would imply just the possible life extension
of some off-line nodes.

4.5 Node Deletion 

The deletion procedure is mainly based on the confirmation of the active pres- 
ence of on-line legitimate nodes through their proofs of life. Each node should 
update its stored graph by deleting all those nodes that have not sent any proof 
of life after a period T. This fact implies that each node that has not proven 
its presence will be deleted from the network, as well as from the Hamiltonian 
cycle. 

Node deletions are explicitly communicated to all on-line legitimate nodes
in the second step of broadcasts of proofs of life. This way of proceeding allows
any node that is off-line at that moment to update its stored graph
as soon as it gets access to the network.

Deletion Algorithm

Input: At stage $t$, a node $v_i$ is an off-line legitimate node of the network.

1. A initializes her clock = 0.

2. if clock > $T$ then

2.1 $\forall v_i \in V_t$ : A checks $v_i$'s proof of life in A's FIFO queue.

2.2 A updates $V_{t+1} = V_t \setminus \{v_i \in V_t$ with no proof$\}$.

2.3 A updates $E_{t+1} = E_t \setminus \{(v_i, v_j) : v_i \in V_t$ with no proof, $v_j \in N_{G_t}(v_i)\} \cup \{(v_j, v_k) : v_j, v_k \in N_{HC_t}(v_i)\}$.

2.4 A updates $HC_{t+1} = HC_t \setminus \{(v_j, v_i), (v_i, v_k)\} \cup \{(v_j, v_k)\}$ : $v_i \in V_t$ with
no proof, $v_j, v_k \in N_{HC_t}(v_i)$.

3. If A started the broadcast used for the $v_i$'s deletion, A adds this information
to the second step of the proof-of-life broadcast: $A \rightarrow network$ : $v_i$ is
deleted.

Output: At stage $t + 1$ the node $v_i$ has been deleted both from the network
and from the graph.

This procedure guarantees a limited growth of the graph that is used in
authentication and, at the same time, ensures that the set of legitimate nodes
always corresponds exactly to the vertexes in that graph. Apart from this, it is
remarkable that thanks to this procedure the recovery of legitimate
members of the network that have been disconnected momentarily is possible.
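
An added example (not code from the paper) of the cycle maintenance described in Sections 4.2 and 4.5, in Python: A broadcasts only the neighbour set of the new vertex, each on-line node recovers the insertion point from its own copy of the secret cycle, and a deletion closes the cycle over the removed vertex. Function names and the 8-node sample are constructed for illustration, and the non-adjacency restriction of step 4.2.2 is read here as applying to every pair in the broadcast set other than $(v_j, v_k)$.

```python
import random
from itertools import count


def hc_neighbours(cycle, v):
    """N_HC(v): the two vertices next to v in the secret cycle."""
    i = cycle.index(v)
    return {cycle[i - 1], cycle[(i + 1) % len(cycle)]}


def is_hamiltonian(vertices, edges, cycle):
    """True if cycle visits every vertex once using only edges of the graph."""
    steps = zip(cycle, cycle[1:] + cycle[:1])
    return (sorted(cycle) == sorted(vertices)
            and all(tuple(sorted(s)) in edges for s in steps))


def next_id(vertices):
    """Lowest vertex number not assigned so far (step 3 of the insertion)."""
    return next(i for i in count(1) if i not in vertices)


def build_insertion(cycle, degree, rng):
    """Authenticator A: pick v_j, v_k adjacent in HC_t plus degree-2 further
    neighbours, none of which is HC-adjacent to another member of the set."""
    j = rng.randrange(len(cycle))
    chosen = [cycle[j], cycle[(j + 1) % len(cycle)]]
    rest = [v for v in cycle if v not in chosen]
    rng.shuffle(rest)
    for w in rest:
        if len(chosen) < degree and not hc_neighbours(cycle, w) & set(chosen):
            chosen.append(w)
    if len(chosen) < degree:
        raise ValueError("not enough non-adjacent vertices for this degree")
    return sorted(chosen)          # sorted: the broadcast order leaks nothing


def apply_insertion(vertices, edges, cycle, new, neighbours):
    """On-line node: locate the single HC-adjacent pair in the broadcast set
    and put the new vertex between them; the cycle itself is never sent."""
    pairs = [(u, v) for u in neighbours for v in neighbours
             if u < v and v in hc_neighbours(cycle, u)]
    if new in vertices or len(pairs) != 1:
        raise ValueError("rejected update")
    i, k = sorted(cycle.index(x) for x in pairs[0])
    pos = k if k - i == 1 else len(cycle)      # wrap-around pair: append
    return (vertices | {new},
            edges | {tuple(sorted((new, w))) for w in neighbours},
            cycle[:pos] + [new] + cycle[pos:])


def apply_deletion(vertices, edges, cycle, dead):
    """Node with no proof of life within T: drop its edges and close the
    cycle by joining its two HC neighbours (steps 2.2-2.4 of the deletion)."""
    vj, vk = sorted(hc_neighbours(cycle, dead))
    return (vertices - {dead},
            {e for e in edges if dead not in e} | {(vj, vk)},
            [v for v in cycle if v != dead])


# Constructed sample state shared by all on-line nodes at stage t.
HC_T = [3, 7, 1, 5, 8, 2, 6, 4]
V_T = set(HC_T)
E_T = ({tuple(sorted(e)) for e in zip(HC_T, HC_T[1:] + HC_T[:1])}
       | {(1, 2), (3, 8), (4, 5), (6, 7)})

if __name__ == "__main__":
    rng = random.Random()
    new = next_id(V_T)
    broadcast = build_insertion(HC_T, 3, rng)
    V1, E1, HC1 = apply_insertion(V_T, E_T, HC_T, new, broadcast)
    print("broadcast", new, broadcast, "-> cycle valid:", is_hamiltonian(V1, E1, HC1))
    V2, E2, HC2 = apply_deletion(V1, E1, HC1, 5)
    print("after deleting 5 -> cycle valid:", is_hamiltonian(V2, E2, HC2))
```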
5 Assumptions and Security Analysis

Note that the whole proposal is based on a single and shared secret network 
key and although the key is periodically updated, if a legitimate node is com- 
promised and reveals the shared secret key, the whole network would be com- 
promised [T2], [5]. Consequently, this proposal initially assumes the ideal en- 
vironment where all legitimate nodes are honest and where no adversary may 
compromise a legitimate node of the network in order to read its secret stored 
information. Such assumptions are well suited as a basic model in order to de- 
cide under which circumstances the GASMAN is applicable to MANETs. For 
instance, a possible adaptation of the proposal in order to avoid those hypotheses
could be defining a threshold scheme to be used in every step of the GASMAN, 
so that every proof of life, insertion, access control or deletion operation should 
be done by a coalition of on-line nodes. Then, a dishonest node would not affect 
the correct operation of the network. 

It is clear that the proposal inherits some problems of the distributed trust 
model such as the important necessity that legitimate nodes cooperate. Conse- 
quently, it is advisable to include a scheme to stimulate node cooperation. 

Finally, another requirement of the GASMAN is the establishment of a se- 
cure channel for the insertion procedure. However, that aspect may be easily 
fulfilled thanks to the fact that most wireless devices are able to communicate 
with each other via Bluetooth wireless technology or through other more secure 
short range wireless methods. 

With respect to possible attacks and due to the lack of a centralized structure,
it is natural that possible DoS (Denial of Service) attacks have as their
main objective the chat application. In order to protect the GASMAN against
this threat it must be assured that chat messages, although publicly readable,
may only be sent by legitimate on-line members of the network. Another
important aspect related to the use of the chat application is the necessary
synchronization among the on-line nodes. In order to achieve it, we could use
global time synchronization derived from the application of IEEE 802.11 Timer
Synchronization Function to MANETs [26].

MANETs are especially vulnerable to different threats such as identity theft 
(spoofing) and the man-in-the-middle attack. Such attacks are difficult to pre- 
vent in environments where membership and network structure are dynamic and 
the presence of central directories cannot be assumed. However, our proposal is 
resistant to spoofing attacks because access control is granted through a ZKP. 
It implies that any information published through the chat application or sent 
openly during the execution of access control mechanism becomes useless. 

On the other hand, the goal of the man-in-the-middle attack is either to 
change a sent message or to gain some useful information by one of the inter- 
mediate nodes. Again, the use of ZKPs in our protocol implies that reading any 
transferred information does not reveal any useful information about the secret, 
so changing the message is not possible since only legitimate nodes whose access 
has been allowed can use the chat application. 

Another active attack that might be especially dangerous in MANETs is the
so-called Sybil attack. It happens when a node tries to get and use multiple
identities. The most extreme case of this type of attack is the establishment
of a false centralized authority who states the identities of legitimate members.
However, this specific attack is not possible against our scheme due to its
distributed nature. In the GASMAN, the responsibility of controlling general Sybil
attacks will be shared among all the on-line nodes. If an authenticator node
detects that a supplicant node is trying to get access to the network by using
an ID that is already being used on-line, such access control must be denied and the
corresponding node must be isolated. The same happens when any on-line node
detects that an authenticator node is trying to insert a new member into the
network with a new ID, and that ID has already been assigned as a vertex ID. Again,
such insertion must be denied and the corresponding supplicant node must be
isolated. In any case, if a Sybil attacker enters the network, any of its neighbours
will detect it as soon as it sends proofs of life for different vertex IDs.

Finally, in the proposal, an eavesdropping node could observe all the
exchanged messages, but the zero-knowledge property guarantees that no important
information about the shared secret is revealed. With respect to a possible
play-back attack, by using the access control of our protocol, the on-line node A
can always choose any random challenge, and the supplicant node S has to compute
the correct response, which is later used by A to check if the authentication
is successful. Therefore, previously used challenges and answers are useless.
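The play-back argument above can be checked numerically. The following is an added example, not code from the paper: it assumes a textbook Hamiltonian-cycle challenge-response round as a stand-in for the paper's ZKP, sends the relabelled graph in the clear instead of under bit commitments, and uses a constructed graph (the initial HC of Table 1 plus five invented edges).

```python
import random

# Constructed toy data: the secret cycle is the initial HC from Table 1; the
# public graph is that cycle plus five extra edges chosen for this example.
HC = [8, 3, 9, 7, 4, 2, 6, 5, 1, 10, 0]
N = len(HC)
EXTRA = [(0, 5), (1, 7), (2, 9), (3, 6), (4, 10)]
GRAPH = {frozenset((HC[i], HC[(i + 1) % N])) for i in range(N)}
GRAPH |= {frozenset(e) for e in EXTRA}

def relabel(perm, edges):
    """Apply a vertex permutation to a set of undirected edges."""
    return {frozenset(perm[v] for v in e) for e in edges}

def commit(rng):
    """Supplicant S: hide the graph behind a fresh random relabelling."""
    perm = list(range(N))
    rng.shuffle(perm)
    return perm, relabel(perm, GRAPH)

def respond(perm, challenge):
    """S: challenge 0 opens the relabelling, challenge 1 shows the hidden cycle."""
    return perm if challenge == 0 else [perm[v] for v in HC]

def verify(permuted, challenge, response):
    """Authenticator A: accept only a response that fits its own challenge."""
    if sorted(response) != list(range(N)):
        return False
    if challenge == 0:
        return relabel(response, GRAPH) == permuted
    cycle = {frozenset((response[i], response[(i + 1) % N])) for i in range(N)}
    return cycle <= permuted

def replay_success_rate(rounds, trials, rng):
    """Fraction of sessions in which replayed transcripts pass every round."""
    wins = 0
    for _ in range(trials):
        passed = True
        for _ in range(rounds):
            perm, permuted = commit(rng)                # overheard commitment
            recorded = respond(perm, rng.randrange(2))  # overheard response
            fresh = rng.randrange(2)                    # A's new random challenge
            passed = passed and verify(permuted, fresh, recorded)
        wins += passed
    return wins / trials

if __name__ == "__main__":
    rng = random.Random(2024)  # seeded for a repeatable demo; real nodes need a CSPRNG
    for k in (1, 5, 10):
        print(k, "rounds:", replay_success_rate(k, 4000, rng))
```

A replayed round passes only when A happens to repeat the recorded challenge, so the success rate falls off as roughly 2^-k with the number of rounds k.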

6 Performance Analysis 

We now analyze the efficiency of the proposal from both the energy consumption
and the computational complexity points of view. We consider the energy
consumption that results from transmissions of data and from processor
activities due to authentication tasks. In the proposal there are two phases
when computational overhead is more significant: the ZKP-based access control
and the periodic checking of stored elements in the FIFO queue. A reduction in
the number of rounds of the ZKP has a direct effect on the total size of the
messages exchanged in insertions, but a trade-off should be maintained between
protocol robustness and performance. Indeed, regarding total data transmission
over wireless links, the ZKPs take less than 10% in a usual situation.

The dominant time-consuming jobs are the periodic proofs of life, which
account for around 90% of the total exchanged message size in many cases.
However, we found that these compulsory proofs of life imply an incentive
technique for stimulating cooperation in authentication tasks. This is due to
the fact that nodes that are broadcasters of deletion queries or authenticators
in insertions or access controls are exempted from their obligation to broadcast
their proofs of life.

In order to reduce data communication cost, an increase in the threshold
period T might be an option, but again an acceptable balance should be kept
because T also has implications for the storage requirements of the protocol.
According to our experiments, T should depend directly on the number of
legitimate and/or on-line nodes in order to prevent a possible bandwidth
overhead in large networks.

Figure 2: Example of Final Associated Graph and Hamiltonian Cycle

For the performance analysis of the proposal we used the Network Simulator
NS-2 with the DSR routing protocol. We created several Tcl-based NS-2 scripts
in order to produce various output trace files that have been used both to do data
processing and to visualize the simulation. Within our simulation we used the
visualization tool of Network Animator NAM and the NS-2 trace files analyzer
of Tracegraph. For the simulation of mobility we used the Setdest program in
order to generate movement pattern files using the Random Waypoint algorithm.

An excerpt of the trace files corresponding to an example simulation
is shown in Table 1. Basically, it consisted of generating a scenario file that
describes the movement pattern of the nodes and a communication file that
describes the traffic in the network. These files were used to produce trace files
that were analyzed to measure various parameters.

The trace files are used to visualize the simulation using NAM, while the
measurement values are used as data for plots with Tracegraph. The final graph
and Hamiltonian cycle associated with the example network are shown in Figure
2, where green is used to indicate the Hamiltonian cycle, blue is used for the
inserted nodes and red is used for the edges deleted from the Hamiltonian cycle
when inserting new nodes.

Time   Event                                                 HC
0.1    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 are legitimate       8,3,9,7,4,2,6,5,1,10,0
1.2    Insertion of Node 14 is broadcast by Node 4           8,...,4,14,2,...,0
1.3    Nodes 3, 1, do not answer to proof of life
3.2    Node is re-inserted by ZKP with Node 8
8.6    Node 3 is re-inserted by ZKP with Node 4
9.4    Node 1 is re-inserted by ZKP with Node 10
11.6   Node 1 turns off
13.9   Proof of life started by Node 3
14.2   Nodes 1, 2 do not answer to proof of life
14.8   Node 2 is re-inserted by ZKP with Node 14
17.2   Proof of life started by Node 2
17.5   Nodes 1, 5 do not answer to proof of life
21.7   Node 5 turns off
31.4   Node 1 turns on and Node 2 is chosen for ZKP
31.5   Node 4 turns off
32.5   Proof of life started by Node 1
32.8   Nodes 4, 5, 6 do not answer to the proof of life
34.2   Node 6 is re-inserted by ZKP with Node 2
38.5   Proof of life started by Node 6
38.7   Nodes 4, 5 do not answer to proof of life
41.4   Node 1 turns off
53.2   Node 1 turns on and Node is chosen for ZKP
59.6   Proof of life started by Node 6
59.9   Nodes 4, 5 do not answer to proof of life
64.2   Node 5 is deleted                                     8,...,6,1,10,0
64.7   Node 2 turns off
72.5   Node 4 turns on and Node is chosen for ZKP
75.3   Insertion of Node 13 is broadcast by Node 14          8,...,2,13,6,1,10,0
75.4   Node 2 does not answer to proof of life

Table 1: Example of Trace

In order to study the effectiveness of the GASMAN, we studied it in a set
of realistic scenarios. In particular, we used the most commonly used mobility
model by the research community, the so-called Random Waypoint Model, which
uses pause times and random changes in destination and speed.

We ran an extensive number of simulations using the NS-2 simulator with 802.11
MAC and DSR routing protocols in order to see the effects of different metrics
by varying network density and topology. Within the simulations,
relationships can be established anytime two nodes are located in close
proximity, and the random walk mobility model was used with various pause times
and maximum speeds. In particular, we varied the number of nodes from 15 to 100.
Also, our architecture was evaluated with 250 x 250, 500 x 500, and 750 x 750
m² square areas of ad-hoc network. In each case, the nodes move around with 0.5
second pause time and 20 m/s maximum speed. The transmission range of the
secure channel is 5 meters while that of the data channel is fixed to 250 meters.
The period of simulation varied from 60 to 200 seconds. We also changed the
probabilities of insertions and deletions in each second from 5% to 25%, in order
to modify the mobility rate and antenna range of nodes from 2 to 15 m/s and
100 to 250 meters respectively. This range also defines different frequencies of
accesses to the network.

The first conclusions we obtained from the simulations are: 

• The protocol scales perfectly to any sort of network with different levels
of topology changes.

• Node density is a key factor for the mean time of insertions, but such a
factor is not as big as might previously be assumed, since nodes do not
forward two packets of data corresponding to the same proof of life coming
from two different nodes.

• A right choice of parameter T should be made according to the number of
nodes, the bandwidth of wireless connections and the computation and storage
capacities of nodes.

• A positive aspect of the proposal is that the requirements in the devices'
hardware are very low.
7 Conclusions and Open Questions

Successful authentication in mobile ad-hoc networks is critical for assuring se- 
cure and effective operation of the supported application. This work describes 
a new authentication scheme, the so-called GASMAN, which has been specially
designed for MANETs. Such a protocol supports knowledge-based member au- 
thentication in server-less environments. The overall goal of the GASMAN has 
been the design of a strong authentication scheme that is able to react and adapt 
to network topology changes without the necessity of any centralized authority. 
In order to avoid the transference of any relevant information, its core technique 
consists of a Zero-Knowledge Proof. Furthermore, the proposal is balanced since 
the procedures that the legitimate members of the network have to carry out 
when the network is updated (insertion or deletion of nodes) imply identical 
work for every legitimate member of the network. 

An initial simulation of the proposal has been developed with the NS-2
network simulator. A statistical analysis of the proposal
and a comparison of simulation results with other approaches will be included
in a forthcoming version of this work. Finally, two important tasks included
in future work are the improvement of the formal description and verification
of the proposal by using the BAN logic, and the implementation of the proposal
on real devices to obtain realistic processing performance.